Identity theft is a prolific, expensive crime for businesses and customers alike — according to Javelin, 27 million US consumers fell victim to identity fraud in 2021 alone. The Red Flags Rule helps prevent identity theft by requiring certain businesses to create a plan for its detection and mitigation. Read on to find out if the Red Flags Rule applies to your business and what actions you’ll need to take if it does.
What is the Red Flags Rule?
The Red Flags Rule was issued jointly by the Federal Trade Commission (FTC) and the federal banking regulators in 2007 under the Fair and Accurate Credit Transactions Act (FACTA), with compliance required from 2008. It requires certain businesses and organizations to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of, and access to, covered accounts.
Why is the FTC Red Flags rule important?
The Red Flags Rule protects your business and customers against the threat of identity theft and its associated costs. Furthermore, it increases public trust and illustrates that your business is doing its part to protect customers’ identities and their personal information.
It’s also a legal requirement. The FTC enforces the Rule for the businesses under its jurisdiction, and the federal banking regulators, the NCUA, and the SEC and CFTC (under their Regulation S-ID) enforce it for the institutions they supervise. If your business is required to follow the Red Flags Rule, failing to develop and operate a reasonable program can result in enforcement action and financial penalties.
Who does the Red Flags Rule apply to?
Any financial institution or creditor that has “covered accounts” must follow the Red Flags Rule. Under the Rule, a financial institution is a bank, savings association, credit union, or any other business that holds a consumer “transaction account” (an account from which the owner can make payments or transfers to third parties). Fintech companies and cryptocurrency exchanges can fall into this category if they hold such accounts.
A creditor is a business that regularly defers payment, or grants or arranges credit, in the ordinary course of business. Since the Red Flag Program Clarification Act of 2010, a creditor is covered only if it also regularly (1) obtains or uses consumer credit reports in connection with a credit transaction, (2) furnishes information to consumer reporting agencies in connection with a credit transaction, or (3) advances funds to a person based on an obligation to repay (not merely for expenses incidental to a service it provides). Businesses that meet this test include many car dealerships, some non-profits, and healthcare providers that, for example, pull credit reports or report patient debts to credit bureaus. Simply billing a customer after providing a service does not by itself make a business a creditor under the Rule.
If your business is a financial institution or a creditor, the next question is whether you have covered accounts. A covered account is either (1) an account offered or maintained primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of your business, from identity theft.
Examples of covered accounts governed by the Red Flags Rule include clinic patient accounts, checking or savings accounts, credit card accounts, mobile phone and utility accounts, and mortgage and auto loans.
How to comply with the Red Flags Rule
To comply with the Red Flags Rule, you’ll need to create a written program that outlines how your business will approach each of the four elements of the red flags framework. The FTC publishes a Red Flags Rule template intended for low-risk businesses, but you’ll need to adapt it to reflect your company’s size, complexity, and the nature of its operations.
Once your program is written, your board of directors (or an appropriate board committee), or a designated senior manager if you have no board, must review and approve it. Senior management also remains responsible for overseeing the program, reviewing periodic reports on how it is working, and approving material changes to it.
The four essential steps to complying with the Red Flags Rule are:
1. Identify relevant red flags.
It’s your responsibility to determine which red flags are the most relevant, likely, and harmful for your business, taking into account the types of covered accounts you offer, how they are opened and accessed, and any identity theft you have already experienced. The Rule’s Supplement A lists 26 example red flags, which fall into five categories:
- Warnings, alerts, or notifications from a consumer reporting agency (for example, a fraud alert, a credit freeze, or a notice of address discrepancy)
- Documents that appear fake, altered, or otherwise inauthentic
- Unusual activity taking place in a covered account (for example, an inactive account suddenly making several transactions in one day)
- Suspicious or inconsistent personal information (such as a wrong address on a document)
- Notifications from customers, law officials, and other entities regarding identity theft
2. Detect red flags.
Once you’ve identified which red flags matter to your business, you must put in place procedures to detect them when they occur. For new covered accounts, this means obtaining identifying information about the applicant and verifying it. For existing accounts, it means authenticating customers, monitoring transactions, and verifying the validity of change-of-address requests. Software that automatically verifies identities and flags suspicious transactions can make it easier for your team to catch red flags at scale.
3. Prevent and mitigate identity theft.
Your program should detail the actions you’ll take after detecting a red flag, scaled to the degree of risk. The Rule’s examples include monitoring the account for further evidence of identity theft, contacting the customer, changing passwords or other security codes, reopening the account with a new account number, declining to open a new account, closing the existing account, notifying law enforcement, and, where appropriate, determining that no response is warranted. Each response should minimize the impact of the current incident, and what you learn from it should feed back into the program.
4. Continuously update your program.
The Red Flags Rule program is not something your team can create and then forget about. The Rule requires periodic updates so that the program reflects changes in identity theft risks, such as new fraud methods, new products or account types, changes in how accounts are opened or accessed, and changes in business arrangements such as mergers or outsourcing. You must also train staff as needed to carry out the program and oversee any service providers (for example, a collections agency or identity verification vendor) that perform activities covered by it.
How identity verification helps detect red flags
Identity verification (IDV) is a critical element of complying with the Red Flags Rule, especially during the detection step. The first indications of identity theft are often suspicious documents or inconsistent personal information such as Social Security numbers. Without proper identity verification processes, your business won’t effectively monitor red flags in these areas or be able to act on them in a timely fashion.
If a new customer opens a covered account, you can use IDV to determine whether the person truly is who they say they are. Verifying their name, address, government ID, and other information is often sufficient to deter bad actors and comply with the Red Flags Rule.
When users access existing covered accounts, you can also use identity verification to prevent account takeover fraud. For example, a user wishing to change their account password could be prompted to re-verify their identity, thus protecting their account.
To provide the best possible user experience, these strategies should be part of a progressive, risk-based approach in which each customer encounters a level of friction proportional to the risk their activity presents. For example, you can protect routine sign-ons with two-factor authentication. But when an event looks more suspicious, such as an unusually large transaction, a burst of activity on a dormant account, or a sign-on from an IP address geolocated far from the customer’s usual location, you can require the individual to re-verify by submitting a selfie and matching it against the government ID they provided when the account was opened.
Essentially, the higher the risk, the more complex your verification process should be. And if a particular red flag is extremely likely or harmful, you should investigate it as soon as possible.
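The following is an added example of what the detection step and the risk-based step-up described above look like in code. It is not Persona's code and not an FTC artifact: the event format, the flag names, the weights, the thresholds (90 days of dormancy, three transactions in a day, 1,000 km from home, five times the typical amount) and the three verification tiers are all assumptions to be tuned against your own risk assessment, and every account and event below is constructed.

```python
"""Red-flag detection with risk-tiered step-up for a single covered account.

Added illustration; not Persona's code and not an FTC artifact. Event format,
flag names, weights, thresholds and tier names are assumptions. Sample data is
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed tiers: the higher the number, the more friction the customer faces.
TIER_2FA = 0            # routine sign-on: password plus second factor
TIER_STEP_UP = 1        # re-authenticate (e.g. fresh OTP) before continuing
TIER_DOC_REVERIFY = 2   # government ID plus selfie match, and open an investigation

# Assumed weights: how strongly each flag points at identity theft.
FLAG_WEIGHTS = {
    "distant_login": 1,              # sign-on far from the customer's home location
    "dormant_account_used": 1,       # Supplement A: an inactive account is suddenly used
    "dormant_account_burst": 2,      # ...and used several times within a day
    "large_transaction": 1,          # amount far above the account's typical size
    "card_after_address_change": 2,  # Supplement A: new card requested soon after an address change
}

@dataclass
class Account:
    account_id: str
    home_lat: float
    home_lon: float
    last_activity: datetime   # last customer-initiated event before monitoring began
    typical_txn: float        # rolling average transaction amount

@dataclass
class Event:
    kind: str                 # "login" | "txn" | "address_change" | "new_card"
    at: datetime
    amount: float = 0.0
    lat: Optional[float] = None
    lon: Optional[float] = None

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def tier_for(flags):
    """Map the flags raised by one event to the verification tier the customer must clear."""
    score = sum(FLAG_WEIGHTS[f] for f in flags)
    if score >= 2:
        return TIER_DOC_REVERIFY
    return TIER_STEP_UP if score == 1 else TIER_2FA

class AccountMonitor:
    """Consumes one account's events, oldest first, and returns (flags, tier) for each."""

    def __init__(self, acct, dormant_days=90, burst_n=3, far_km=1000, large_x=5.0, addr_days=30):
        self.acct = acct
        self.dormant = timedelta(days=dormant_days)
        self.burst_n, self.far_km, self.large_x = burst_n, far_km, large_x
        self.addr_window = timedelta(days=addr_days)
        self.window = []                          # events from the trailing 24 hours
        self.last_event_at = acct.last_activity
        self.prior_activity = acct.last_activity  # last activity before the current 24h window
        self.address_changed_at = None

    def observe(self, event):
        flags = []
        self.window = [e for e in self.window if event.at - e.at <= timedelta(days=1)]
        if not self.window:
            # A fresh 24h window starts: dormancy is measured against whatever came before it.
            self.prior_activity = self.last_event_at
        if event.lat is not None and event.lon is not None:
            if km_between(self.acct.home_lat, self.acct.home_lon, event.lat, event.lon) > self.far_km:
                flags.append("distant_login")
        if event.kind == "txn":
            if event.at - self.prior_activity > self.dormant:
                n = sum(1 for e in self.window if e.kind == "txn") + 1   # transactions today, this one included
                flags.append("dormant_account_burst" if n >= self.burst_n else "dormant_account_used")
            if event.amount > self.large_x * self.acct.typical_txn:
                flags.append("large_transaction")
        if event.kind == "address_change":
            self.address_changed_at = event.at
        if event.kind == "new_card" and self.address_changed_at is not None \
                and event.at - self.address_changed_at <= self.addr_window:
            flags.append("card_after_address_change")
        self.window.append(event)
        self.last_event_at = event.at
        return flags, tier_for(flags)

def demo():
    """Constructed scenario: a dormant account sees a far-away login, a burst of spending,
    then an address change followed by a request for a new card."""
    acct = Account("acct-001", 40.71, -74.01, datetime(2023, 10, 1), typical_txn=50.0)  # home: New York
    events = [
        Event("login", datetime(2024, 3, 5, 9, 0), lat=55.75, lon=37.62),   # sign-on geolocated to Moscow
        Event("txn", datetime(2024, 3, 5, 10, 0), amount=40.0),
        Event("txn", datetime(2024, 3, 5, 10, 30), amount=35.0),
        Event("txn", datetime(2024, 3, 5, 11, 0), amount=500.0),             # third in a day, 10x typical
        Event("address_change", datetime(2024, 3, 5, 12, 0)),
        Event("new_card", datetime(2024, 3, 6, 9, 0)),                       # new card the next morning
    ]
    mon = AccountMonitor(acct)
    return [mon.observe(e) for e in events]

if __name__ == "__main__":
    for flags, tier in demo():
        print(tier, flags)
```

Each event is judged on its own flags, so the first two small transactions on the dormant account only trigger a step-up, while the third (completing a burst and far above the typical amount) and the card request shortly after an address change both escalate to document re-verification. In production the per-event tier would also be combined with the session's accumulated flags and the weights would come from your own fraud data rather than the constants above.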
How Persona can help
Identity verification can be a burdensome, manual process. And without an effective way to monitor for and detect red flags, complying with the Red Flags Rule can be difficult.
Simplify everything onto one platform with Persona. Automated monitoring and customizable verification can streamline compliance. Plus, you’ll be able to detect more fraud through holistic risk signals, deter bad actors, and still provide a seamless experience for legitimate users.
Level up your compliance today
The Red Flags Rule is an essential part of preventing identity theft and protecting both your business and your customers. If your business is a financial institution or creditor with covered accounts under the terms of the Red Flags Rule, you must write, approve, and operate a program to detect red flags and respond to them before bad actors gain or misuse access to those accounts. An automated identity verification platform like Persona can help.